Hackers are using the file transfer component used by Windows Update to sneak malware past firewalls...Trojan makers have started to call on BITS to download add-on code to an already compromised computer. "For one simple reason: BITS is part of the operating system, so it's trusted and bypasses the local firewall while downloading files"...

Security experts have been predicting that virus writers would find a way to hijack Microsoft's security patch delivery process to slip their software onto users' computers. They were right...I should note that when I tried this exploit on a Windows XP system running under a limited user account, the attack did not succeed. So if you set up your Windows XP or 2000 machine to run under a limited account, even if you inadvertently download a Trojan, it is very unlikely that it will be able to finish its job.